Gawker Lessons Not Learned

By Fahmida Y. Rashid |
Posted 2011-03-01

HBGary Federal CEO Aaron Barr Quits Due to Anonymous Attack

The embattled CEO of HBGary Federal has resigned his post three weeks after Anonymous hacked into the company's
network and stole thousands of e-mail messages. The ease with which Anonymous conducted
the attack left the company, which provides security services to the federal
government, red-faced.

CEO Aaron Barr told Threatpost
on Feb. 28 that he's stepping down to help the company regain its reputation
and to improve his own.

"[G]iven that I've been the focus of much bad press, I
hope that, by leaving, HBGary and HBGary Federal can get away from some of
that. I'm confident they'll be able to weather this storm," Barr told
Threatpost.

HBGary Federal declined comment.

At least one member of Anonymous saw it as a victory. "Aaron
Barr has quit! Join our party on IRC," Topiary, an Anonymous
"supporter" posted on Twitter. "It seems Aaron's fate currently lies in a trash
can, reminiscing of the times he thought he took down Anon," Topiary added,
referring to a "Where will Aaron Barr be in 6 months time?" online poll. The comments left
on AnonNewsSite
were far more gleeful. "At least we destroyed him in anonymous style," wrote
one commenter.

Barr had bragged to the Financial Times on Feb. 4 that the
company had identified some "leaders" of the hacktivist group behind several
denial-of-service attacks on Visa, MasterCard and PayPal. He'd planned to unmask
them at B-Sides Security Conference, a parallel event to the RSA
Conference in San Francisco.

Anonymous
retaliated Feb. 7 by exploiting weak passwords and unpatched servers to
steal 71,000 e-mails from both HBGary Federal and its sister firm HBGary. Using
both a SQL injection attack and social engineering, the hackers gained access
to the Web and e-mail servers as well as the Rootkit.com domain, a site
launched by HBGary founder Greg Hoglund for discussion and analysis of rootkits
and related technology.

The attackers deleted gigabytes of research and support
documentation, defaced Barr's Twitter account and grabbed a decompiled copy of
Stuxnet that the researchers had been analyzing. The e-mails have been posted
for public viewing, WikiLeaks-style, at anonleaks.ch, and a GitHub repository was
created for the "first public Stuxnet decompile."

HBGary offers a range of computer forensics products, malware
analysis tools and security services such as implementing intrusion prevention
systems, performing vulnerability assessment and penetration testing. Anonymous
highlighted that even security experts can make basic mistakes when securing
their environment, according to the attack details outlined by Ars
Technica.

The Ars Technica article listed basic mistakes that contradicted
best practices, such as unpatched servers and using easily-compromised hashes
to store passwords. Even more tellingly, Barr and Ted Vera, the chief operating
officer of HBGary Federal, had been re-using a simple password across
multiple systems.

Senior executives should be held to the same level of
security as regular employees, Andrew Jaquith, CTO of another security firm,
Perimeter E-Security, recently told eWEEK. Executives actually "need to be
safer than most," he said.

In this case, Anonymous had used a SQL injection attack to
compromise the custom content management system powering HBGary Federal's Web
site. The attack URL contained two parameters the CMS handled incorrectly,
allowing hackers to retrieve the list of usernames, e-mail addresses and MD5 password
hashes from the user database. Attackers were able to crack passwords belonging
to Barr and Vera because the passwords were too weak, consisting of just six lowercase
letters and two digits, reported Ars Technica.
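The CMS flaw described above is the classic pattern of URL parameters spliced straight into a query. The following is an added illustration, not HBGary's code: a toy in-memory database with a constructed schema, a lookup that concatenates both parameters into the SQL text, and the parameterised version that keeps the user table out of reach.

```python
import sqlite3

# Constructed sample data; the table layout is an assumption for this demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, pw_md5 TEXT)")
    conn.execute("CREATE TABLE pages (id INTEGER, page TEXT, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "alice@example.test", "0" * 32),
                      ("bob", "bob@example.test", "1" * 32)])
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                     [(1, "home", "Welcome"), (2, "about", "About us")])
    return conn

def fetch_page_vulnerable(conn, page_id, page_name):
    # Both URL parameters become part of the SQL text itself, so input can
    # rewrite the query and pull rows from any table the CMS account can read.
    sql = "SELECT body FROM pages WHERE id=%s AND page='%s'" % (page_id, page_name)
    return [row[0] for row in conn.execute(sql)]

def fetch_page_safe(conn, page_id, page_name):
    # Validate the numeric parameter, then bind both values with placeholders:
    # the driver passes them as data, never as SQL, so the query structure is fixed.
    try:
        page_id = int(page_id)
    except ValueError:
        return []
    sql = "SELECT body FROM pages WHERE id=? AND page=?"
    return [row[0] for row in conn.execute(sql, (page_id, page_name))]

# A crafted second parameter that turns the lookup into a dump of the user table.
INJECTED_PAGE = "x' UNION SELECT username || ':' || pw_md5 FROM users --"

def demo():
    conn = make_db()
    leaked = fetch_page_vulnerable(conn, "1", INJECTED_PAGE)
    safe = fetch_page_safe(conn, "1", INJECTED_PAGE)
    return leaked, safe

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned:", leaked)
    print("parameterised query returned:", safe)
```

The vulnerable path returns every username with its hash, which is exactly the data set the article says was retrieved; the parameterised path returns nothing because no page is literally named after the crafted string.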

Gawker Lessons Not Learned

The massive data
breach at Gawker in December revealed that nearly 30 percent of people tended to
use the same password across multiple sites, a security no-no. It turned out
both Barr and Vera were no better, using the same password for e-mail, Twitter,
and other systems. Barr had used the same password for his
e-mail account, and as the administrator, had access to all the company's mail
and other users' mailboxes, giving Anonymous full access to all the e-mails.

Vera had also used the same password on the company's
support server. The attack could easily have stalled there, as Vera didn't have
any administrative rights, except that the IT team had not patched a privilege
escalation vulnerability in the Linux kernel. The flaw had been identified in
October, and patches were released a month later. With full access on the box, the
attackers discovered gigabytes of backups and research data, which they
promptly deleted.

The Anonymous hack used standard, widely known techniques to
compromise a system, collect information and use the collected data to
compromise additional systems. It didn't matter if most of the employees had
complex passwords, because the attackers needed to crack just one password to
gain access.

Barr and HBGary Federal were embroiled in another controversy
as the contents of its e-mails were publicized, revealing various dirty tricks the
company engaged in on behalf of clients such as law firms, banks, and the U.S.
Chamber of Commerce. Some of the proposals listed borderline illegal tactics
aimed at discrediting WikiLeaks, including cyberattacks, forged documentation,
and blackmailing WikiLeaks supporter and Salon journalist Glenn Greenwald.

"I need to focus on taking care of my family and rebuilding
my reputation," Barr said. Stephen Colbert had mocked Barr's World of
Warcraft account and referenced some of the more embarrassing e-mails on The
Colbert Report last week.